Krebs on Security

In-depth security news and investigation

SendGrid: Employee Account Hacked, Used to Steal Customer Credentials

Sendgrid, an email service used by tens of thousands of companies — including Silicon Valley giants as well as Bitcoin exchange Coinbase — said attackers compromised a Sendgrid employee’s account, which was then used to steal the usernames, email addresses and (hashed) passwords of customer and employee accounts. The announcement comes several weeks after Sendgrid sought to assure customers that the breach was limited to a single customer account.

On April 9, The New York Times reported that Coinbase had its Sendgrid credentials compromised, and that thieves were apparently using the access to launch phishing attacks against Bitcoin-related businesses. Sendgrid took issue with the Times piece for implying that SendGrid had incurred a platform-wide breach. “The story has now been updated to reflect that only a single SendGrid customer account was compromised,” Sendgrid wrote in a blog post published that same day.

Today, Sendgrid published another post walking that statement back a bit, saying it now had more information about the extent of the intrusion thanks to assistance from data breach investigators:

“After further investigation in collaboration with law enforcement and FireEye’s (Mandiant) Incident Response Team, we became aware that a SendGrid employee’s account had been compromised by a cyber criminal and used to access several of our internal systems on three separate dates in February and March 2015,” wrote David Campbell, Sendgrid’s chief security officer. Campbell continues:

“These systems contained usernames, email addresses, and (salted and iteratively hashed) passwords for SendGrid customer and employee accounts. In addition, evidence suggests that the cyber criminal accessed servers that contained some of our customers’ recipient email lists/addresses and customer contact information. We have not found any forensic evidence that customer lists or customer contact information was stolen. However, as a precautionary measure, we are implementing a system-wide password reset. Because SendGrid does not store customer payment cards we do know that payment card information was not involved.”

Sendgrid is urging customers to change their passwords, and to take advantage of the company’s multi-factor authentication offering. Sendgrid also said it is working to add more authentication methods for its two-factor security, and to expedite the release of special “API keys” that will allow customers to use keys instead of passwords for sending email through its systems.

Sendgrid manages billions of emails for some big brand names, including Pinterest, Spotify and Uber. This reach makes them a major target of fraudsters and spammers, who would like nothing more than to control whitelisted accounts capable of blasting out so much email each day.

In March 2015, U.S. prosecutors indicted three men in connection with the April 2011 compromise of commercial email giant Epsilon. Days after that break-in, customers at dozens of Fortune 500 companies began complaining of receiving spam to email addresses they’d created specifically for use with the companies directly served by Epsilon and its network of email providers.

This entry was posted on Monday, April 27th, 2015 at 4:51 pm and is filed under A Little Sunshine, Data Breaches.

“Bitcoin related businesses.” Wonderful news, absolutely great to know that this pernicious system can be attacked. Let’s hope that it can be totally destroyed, in order that evil b—-rds such as Ransomware will have to look for other means to extort us.

Huh? This is an email service, used by Bitcoin related things, and other services in general. It has as much to do with Bitcoin as does your internet browser or Google search. Bitcoin in no way was attacked.

Secondly, Bitcoin is just a currency, same as US dollars or euros. Even if there was no Bitcoin, malware would simply ask for payment in a different currency.

Hmmm… Yet another story to somehow link hacking to Bitcoin. And a new Bitcoin reader would be like: OMG = bad. I mean, SendGrid has bigger and more popular companies they host… And besides, Coinbase was not compromised.

Too many ESPs operating like mom & pop shops, with as much security as using GUEST as their password. Live and learn. The bigger they are (marketer size), the cheaper they think they can buy services like email.